Disable attach to process


I am looking for a way to check and see if someone attached to a program/process I start.

I want to make it harder to reverse engineer my program by disabling attach to process.

Is this doable? Is there some API call that will look to see if something is attached to my process and, if so, end the process?

From my understanding, I can or should be able to check this in my code, and if I see that this is true I can just kill myself or what's attached to myself.

#if DEBUG
RTBconsole.Text = "Debug version";
#endif

This only stopped me from debugging my code; I want to be able to stop any attachment from taking place on my process.


There are 2 answers

0
tenfour On BEST ANSWER

A few strategies...

#1:

There are some APIs for detecting the presence of a debugger:

But there are obvious limitations here: if a debugger has suspended execution, this check is obviously useless. So this is not water-tight.

#2:

Attach your own debugger to the processes you care about. That way the user cannot attach their own (a process can only be debugged once simultaneously).

Of course the user could just kill your debugger process.

Or use a kernel debugger, which you cannot prevent or detect.

Which leads to the conclusion: at some level, as long as the user has full access to the system, they can do whatever they want, so be sure to weigh your anti-debugging efforts against the realization that it will take less time for a novice hacker to work around it.

0
David Heffernan On

To detect a managed debugger you can call System.Diagnostics.Debugger.IsAttached.

If you want to detect native debuggers the function you need is called IsDebuggerPresent. P/invoke it like this:

// Requires "using System.Runtime.InteropServices;" and must be declared inside a class.
[DllImport("kernel32")]
static extern bool IsDebuggerPresent();

As @tenfour says, neither of these approaches is particularly effective against a resolute attacker – but then nothing is.
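
The two checks named in the answers, combined with the "end the process" step the question asks about, as an added example that is not part of either answer. The `DebuggerGuard` class, the `StartWatch` method and the 2-second interval are assumptions chosen for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

// Hypothetical helper: name and structure are assumptions, not from the answers.
static class DebuggerGuard
{
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool IsDebuggerPresent();

    // True if a managed debugger or (on Windows) a native user-mode debugger is attached.
    public static bool DebuggerDetected()
    {
        if (Debugger.IsAttached)
            return true;
        // kernel32 only exists on Windows; skip the native check elsewhere
        // instead of failing with DllNotFoundException.
        return RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && IsDebuggerPresent();
    }

    // Re-check on an interval: a debugger can attach at any time after startup,
    // so a single check in Main() only covers the moment it runs.
    public static Timer StartWatch(TimeSpan interval, Action onDetected)
    {
        return new Timer(_ => { if (DebuggerDetected()) onDetected(); },
                         null, TimeSpan.Zero, interval);
    }
}

static class Program
{
    static void Main()
    {
        // Hold a reference so the timer is not garbage-collected while running.
        using Timer watch = DebuggerGuard.StartWatch(
            TimeSpan.FromSeconds(2),
            () => Environment.FailFast("Debugger detected"));

        Console.WriteLine("Running; press Enter to quit.");
        Console.ReadLine();
    }
}
```

The limits stated in the answers still apply: the timer callback cannot run while a debugger has the process suspended, and a kernel debugger is not seen by either check.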